Please note that regarding controls from Annex A, you can have 3 scenarios:
1) The control is not applicable – in this case no document needs to be written
2) The control is applicable and the document related to the control is mandatory – the control requires activities to be performed and documented, so a document needs to be written
3) The control is applicable and the document related to the control is not mandatory - the control requires activities to be only performed, so no document needs to be written, it can be implemented only through performing activities
The scenario 2 is the case for the documents related to the controls listed in the mandatory documents. If those controls are identified as applicable, you need to develop the related documents, or you will not be compliant with the control.
These articles will provide you with a further explanation about ISO 27001 controls:
- A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
I’m assuming that your question is about the implementation steps of your purchased toolkit.
Considering that, you need to follow the steps from the toolkit, i.e., implementing the documents in the order of presented folders and documents, and to ensure people are mature in the ISMS process you need to make them aware that they need to comply with all policies and procedures.
These materials will also help you regarding ISO 27001 implementation:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
- Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
- ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
1 - But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?
Answer: Please note that vendors must be included in the risk assessment if they can influence the confidentiality, integrity and availability of information within the scope - e.g. Amazon AWS (external vendor) can influence the data on the virtual server (that is included in the scope), therefore it needs to be included in the risk assessment.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
2 - My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole.
I suppose we shouldn't want to leave a vital process outside of our control to begin with, but am still wondering if there could be a loophole there...
Answer: When some of your processes are handled by vendors, you can ensure control over them by defining proper information security clauses in the contracts signed with them, or by evaluating if their offered service agreements have all the clauses you need to ensure your information is protected.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
3 - I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?
I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot so far.
Answer: First, it is important to note that organizations may adopt risk management approaches that do not make use of assets and vulnerabilities (e.g., because they use a process-based, or scenario-based, risk assessment).
Considering that, if the scope is properly based on the organizational context, legal requirements, and interested parties, it is unlikely, when using the asset-threat-vulnerability risk assessment approach, that relevant assets or vulnerabilities will not be identified. In case this occurs, you should review your initial assumptions about the scope, so there is no need to use a different risk management framework.
These articles will provide you with a further explanation about context identification:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
I see such variability in certification bodies’ policy about the scope of an environmental management system (EMS) that I recommend contacting your potential certification bodies in order to ask their opinion about your potential choices for the scope.
If this toy manufacturing company has a brand, perhaps it is better to certify all factories, in order to use that in the marketing effort. If this toy manufacturing company has production units working for cost-sensitive clients (B2B) and production units working for demanding clients (B2B) perhaps these latter units are candidates for having an EMS.
Please find more information below:
ISO 14001:2015, clause 9.2.2, states that “an organization should establish, implement and maintain an internal audit program(s)”. “An audit program is a set of one or more audits planned for a specific time frame”, according to ISO 9000:2015.
So, your phrase means that the “EMS Management Representative or designate” should, every year, issue an internal audit program scheduling all audits to be performed, and with what scope for each in order to audit all ISO 14001 requirements.
Please check this article about ISO 9001, but applicable to ISO 14001 too - What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/ and this figure:
You can find practical information in the links below:
Neither the IATF 16949:2016 standard nor the IATF Rule 5 have any requirements in this regard.
That is, no restriction has been defined for the number of major or minor nonconformities.
Thank you for your comments; it makes perfect sense.
In your food testing laboratory it starts with knowing the activities of critical importance - typically those tests you are accredited for, as well as for example your data and information management. Then you would do a process flow and consider where the risks may be; for example causing results to deviate. That is followed by deciding what level of risk is acceptable and taking practical actions to reduce the risk to the target level.
Have a look at section 8.5 in the Whitepaper Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit preview at https://advisera.com/17025academy/iso-17025-documentation-toolkit/; which includes a procedure and registry for Risks.
Also feel free to join the webinar How to manage risks in laboratories according to ISO 17025, scheduled for 16 February. Registration is available at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/
ISO/IEC 17025 is the ISO standard used by laboratories (testing and calibration). The title is General requirements for the competence of testing and calibration laboratories.
If you are asking how ISO 17025:2017 has changed from the previous version, have a look at the article ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed? at https://advisera.com/17025academy/blog/2019/11/13/iso-17025-2017-vs-iso-17025-2005-key-changes-infographic/
If you are asking generally about ISO 17025, have a look at the
Considering your stated scenario (i.e., all four risks identified as acceptable), the documents will be filled in as follows:
- Risk Assessment Table (Appendix 1): the four risks must be filled in
- Risk Treatment Table (Appendix 2): no need to include these risks
- Risk Assessment and Treatment Report: no need to include these risks
The main content of the Risk Assessment and Treatment Report does not include the risks themselves, only a description of the used methodology and when it was applied. The risks are listed in its annexes, the abovementioned Risk Assessment Table and the Risk Treatment Table.
Please note that finding only 4 risks for mobile devices is probably too low a number, and this might be challenged at the certification audit, especially if all of these risks are acceptable.
By the way, included in the toolkit you bought, you have access to video tutorials that can help you fill in the Risk Assessment and Risk Treatment tables.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
This material can also help you:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/